
📄 filterinput.php

📁 Joomla!是一套获得过多个奖项的内容管理系统(Content Management System, CMS)。Joomla!采用PHP+MySQL数据库开发
💻 PHP
📖 第 1 页 / 共 2 页
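<?php
/**
 * @version		$Id: filterinput.php 11324 2008-12-05 19:06:24Z kdevine $
 * @package		Joomla.Framework
 * @subpackage	Filter
 * @copyright	Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved.
 * @license		GNU/GPL, see LICENSE.php
 * Joomla! is free software. This version may have been modified pursuant to the
 * GNU General Public License, and as distributed it includes or is derivative
 * of works licensed under the GNU General Public License or other free or open
 * source software licenses. See COPYRIGHT.php for copyright notices and
 * details.
 */

// Check to ensure this file is within the rest of the framework
defined('JPATH_BASE') or die();

/**
 * JFilterInput is a class for filtering input from any data source
 *
 * Forked from the php input filter library by: Daniel Morris <dan@rootcube.com>
 * Original Contributors: Gianpaolo Racca, Ghislain Picard, Marco Wandschneider, Chris Tobin and Andrew Eddie.
 *
 * The class filters input; it does not escape it for a particular output
 * context. Values returned by clean() still need context-appropriate escaping
 * (HTML, attribute, SQL parameter binding, ...) where they are finally used.
 *
 * @package 	Joomla.Framework
 * @subpackage		Filter
 * @since		1.5
 */
class JFilterInput extends JObject
{
	var $tagsArray; // default = empty array
	var $attrArray; // default = empty array

	var $tagsMethod; // default = 0 (0 = whitelist, 1 = blacklist)
	var $attrMethod; // default = 0 (0 = whitelist, 1 = blacklist)

	var $xssAuto; // default = 1

	// Tag names on the built-in denylist.
	// NOTE(review): 'id' and 'name' look like attribute names rather than tag names - confirm intent.
	var $tagBlacklist = array ('applet', 'body', 'bgsound', 'base', 'basefont', 'embed', 'frame', 'frameset', 'head', 'html', 'id', 'iframe', 'ilayer', 'layer', 'link', 'meta', 'name', 'object', 'script', 'style', 'title', 'xml');

	var $attrBlacklist = array ('action', 'background', 'codebase', 'dynsrc', 'lowsrc'); // also will strip ALL event handlers

	/**
	 * Constructor for inputFilter class. Only first parameter is required.
	 *
	 * The user-defined tag and attribute lists are lower-cased before they
	 * are stored, so later comparisons can be done on lower-case names.
	 *
	 * @access	protected
	 * @param	array	$tagsArray	list of user-defined tags
	 * @param	array	$attrArray	list of user-defined attributes
	 * @param	int		$tagsMethod	WhiteList method = 0, BlackList method = 1
	 * @param	int		$attrMethod	WhiteList method = 0, BlackList method = 1
	 * @param	int		$xssAuto	Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
	 * @since	1.5
	 */
	function __construct($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
	{
		// Make sure user defined arrays are in lowercase
		$tagsArray = array_map('strtolower', (array) $tagsArray);
		$attrArray = array_map('strtolower', (array) $attrArray);

		// Assign member variables
		$this->tagsArray	= $tagsArray;
		$this->attrArray	= $attrArray;
		$this->tagsMethod	= $tagsMethod;
		$this->attrMethod	= $attrMethod;
		$this->xssAuto		= $xssAuto;
	}

	/**
	 * Returns a reference to an input filter object, only creating it if it doesn't already exist.
	 *
	 * One shared instance is kept per distinct combination of arguments.
	 *
	 * This method must be invoked as:
	 * 		<pre>  $filter = & JFilterInput::getInstance();</pre>
	 *
	 * @static
	 * @param	array	$tagsArray	list of user-defined tags
	 * @param	array	$attrArray	list of user-defined attributes
	 * @param	int		$tagsMethod	WhiteList method = 0, BlackList method = 1
	 * @param	int		$attrMethod	WhiteList method = 0, BlackList method = 1
	 * @param	int		$xssAuto	Only auto clean essentials = 0, Allow clean blacklisted tags/attr = 1
	 * @return	object	The JFilterInput object.
	 * @since	1.5
	 */
	function & getInstance($tagsArray = array(), $attrArray = array(), $tagsMethod = 0, $attrMethod = 0, $xssAuto = 1)
	{
		static $instances;

		// The digest is only a lookup key for the instance cache, built from the full configuration.
		$sig = md5(serialize(array($tagsArray,$attrArray,$tagsMethod,$attrMethod,$xssAuto)));

		if (!isset ($instances)) {
			$instances = array();
		}

		if (empty ($instances[$sig])) {
			$instances[$sig] = new JFilterInput($tagsArray, $attrArray, $tagsMethod, $attrMethod, $xssAuto);
		}

		return $instances[$sig];
	}

	/**
	 * Method to be called by another php script. Processes for XSS and
	 * specified bad code.
	 *
	 * Behaviour per type (case-insensitive):
	 *  - INT / INTEGER:  first run matching -?[0-9]+, cast to int; 0 when nothing matches
	 *  - FLOAT / DOUBLE: first run matching -?[0-9]+(\.[0-9]+)?, cast to float; 0.0 when nothing matches
	 *  - BOOL / BOOLEAN: boolean cast
	 *  - WORD:           everything except A-Z, a-z and underscore is removed
	 *  - ALNUM:          everything except A-Z, a-z and 0-9 is removed
	 *  - CMD:            everything except A-Z, a-z, 0-9, underscore, dot and hyphen is removed, then leading dots are stripped
	 *  - BASE64:         everything except A-Z, a-z, 0-9, slash, plus and equals is removed
	 *  - STRING:         source is cast to string, decoded and run through the tag/attribute filter
	 *  - ARRAY:          array cast, elements are NOT filtered
	 *  - PATH:           the whole string must match the path pattern, otherwise '' is returned
	 *  - USERNAME:       control characters and < > " ' % & are removed
	 *  - anything else:  strings, and string elements of an array, are decoded and filtered; other values pass through unchanged
	 *
	 * @access	public
	 * @param	mixed	$source	Input string/array-of-string to be 'cleaned'
	 * @param	string	$type	Return type for the variable (INT, FLOAT, BOOLEAN, WORD, ALNUM, CMD, BASE64, STRING, ARRAY, PATH, USERNAME, NONE)
	 * @return	mixed	'Cleaned' version of input parameter
	 * @since	1.5
	 * @static
	 */
	function clean($source, $type='string')
	{
		// Handle the type constraint
		switch (strtoupper($type))
		{
			case 'INT' :
			case 'INTEGER' :
				// Only use the first integer value; an explicit check replaces error suppression
				preg_match('/-?[0-9]+/', (string) $source, $matches);
				$result = isset($matches[0]) ? (int) $matches[0] : 0;
				break;

			case 'FLOAT' :
			case 'DOUBLE' :
				// Only use the first floating point value
				preg_match('/-?[0-9]+(\.[0-9]+)?/', (string) $source, $matches);
				$result = isset($matches[0]) ? (float) $matches[0] : 0.0;
				break;

			case 'BOOL' :
			case 'BOOLEAN' :
				$result = (bool) $source;
				break;

			case 'WORD' :
				$result = (string) preg_replace( '/[^A-Z_]/i', '', $source );
				break;

			case 'ALNUM' :
				$result = (string) preg_replace( '/[^A-Z0-9]/i', '', $source );
				break;

			case 'CMD' :
				$result = (string) preg_replace( '/[^A-Z0-9_\.-]/i', '', $source );
				// A command name must not start with a dot
				$result = ltrim($result, '.');
				break;

			case 'BASE64' :
				$result = (string) preg_replace( '/[^A-Z0-9\/+=]/i', '', $source );
				break;

			case 'STRING' :
				// Check for static usage and assign $filter the proper variable
				if(isset($this) && is_a( $this, 'JFilterInput' )) {
					$filter =& $this;
				} else {
					$filter =& JFilterInput::getInstance();
				}
				$result = (string) $filter->_remove($filter->_decode((string) $source));
				break;

			case 'ARRAY' :
				// Cast only; callers must still filter the individual elements
				$result = (array) $source;
				break;

			case 'PATH' :
				// Anchored pattern: every segment has to start with a letter, digit,
				// underscore or hyphen; segments are separated by a slash or backslash.
				$pattern = '/^[A-Za-z0-9_-]+[A-Za-z0-9_\.-]*([\\\\\/][A-Za-z0-9_-]+[A-Za-z0-9_\.-]*)*$/';
				preg_match($pattern, (string) $source, $matches);
				$result = isset($matches[0]) ? (string) $matches[0] : '';
				break;

			case 'USERNAME' :
				$result = (string) preg_replace( '/[\x00-\x1F\x7F<>"\'%&]/', '', $source );
				break;

			default :
				// Check for static usage and assign $filter the proper variable
				// NOTE(review): this test requires the exact class name, while the
				// STRING branch accepts any JFilterInput subclass via is_a(); a
				// subclass instance therefore falls back to the default shared
				// filter here. Confirm which behaviour is intended before unifying.
				if(is_object($this) && get_class($this) == 'JFilterInput') {
					$filter =& $this;
				} else {
					$filter =& JFilterInput::getInstance();
				}

				// Are we dealing with an array?
				if (is_array($source)) {
					foreach ($source as $key => $value)
					{
						// filter element for XSS and other 'bad' code etc.
						// Only direct string elements are filtered; nested arrays are left untouched.
						if (is_string($value)) {
							$source[$key] = $filter->_remove($filter->_decode($value));
						}
					}
					$result = $source;
				} else {
					// Or a string?
					if (is_string($source) && !empty ($source)) {
						// filter source for XSS and other 'bad' code etc.
						$result = $filter->_remove($filter->_decode($source));
					} else {
						// Not an array or string.. return the passed parameter
						$result = $source;
					}
				}
				break;
		}

		return $result;
	}

	/**
	 * Function to determine if contents of an attribute is safe
	 *
	 * Name and value are compared in lower case. This is a substring denylist
	 * and should be treated as one layer of defence, not as a replacement for
	 * escaping attribute values on output.
	 *
	 * @static
	 * @param	array	$attrSubSet	A 2 element array for attributes name,value
	 * @return	boolean True if bad code is detected
	 * @since	1.5
	 */
	function checkAttribute($attrSubSet)
	{
		// A missing name or value is treated as an empty string instead of raising a notice
		$name	= isset($attrSubSet[0]) ? strtolower((string) $attrSubSet[0]) : '';
		$value	= isset($attrSubSet[1]) ? strtolower((string) $attrSubSet[1]) : '';

		// CSS expressions are only rejected inside a style attribute
		if ($name === 'style' && strpos($value, 'expression') !== false) {
			return true;
		}

		// Rejected in any attribute value. 'behavior:' is added next to the
		// original 'behaviour:' so that both spellings are covered.
		$denied = array('javascript:', 'behaviour:', 'behavior:', 'vbscript:', 'mocha:', 'livescript:');
		foreach ($denied as $needle)
		{
			if (strpos($value, $needle) !== false) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Internal method to iteratively remove all unwanted tags and attributes
	 *
	 * _cleanTags() is applied until its output equals its input, so markup
	 * that only becomes a tag after an earlier pass removed something is
	 * caught by a later pass.
	 *
	 * @access	protected
	 * @param	string	$source	Input string to be 'cleaned'
	 * @return	string	'Cleaned' version of input parameter
	 * @since	1.5
	 */
	function _remove($source)
	{
		// Iteration provides nested tag protection.
		// Each pass calls _cleanTags() once and reuses the result (the earlier
		// form ran it twice per pass); assumes _cleanTags() is deterministic.
		// NOTE(review): the comparison is kept loose (!=) to preserve behaviour;
		// confirm _cleanTags() always returns a string before switching to !==.
		$cleaned = $this->_cleanTags($source);
		while ($source != $cleaned)
		{
			$source		= $cleaned;
			$cleaned	= $this->_cleanTags($source);
		}

		return $source;
	}

	/**
	 * Internal method to strip a string of certain tags
	 *
	 * @access	protected
	 * @param	string	$source	Input string to be 'cleaned'
	 * @return	string	'Cleaned' version of input parameter
	 * @since	1.5
	 */
	function _cleanTags($source)
	{
		/*
		 * In the beginning we don't really have a tag, so everything is
		 * postTag
		 */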
